Retail is increasingly moving online, a trend that has only been accelerated by the impact of Covid-19. However, with this shift come new risks from cybercriminals. The shipping group Maersk suffered a devastating ransomware attack in 2017, forcing it to reinstall over 4,000 servers, and Reckitt Benckiser, whose brands include Durex and Dettol, lost £100m in an attack in the same year. Since then the risks have only grown.
To discuss this issue, and how retail businesses should respond to cyber threats, the New Statesman convened a virtual round table discussion, sponsored by Sophos. The chair was Edward Qualtrough, the technology editor for the New Statesman Media Group.
The chair began by asking Mantas Sasnauskas, Senior Information Security Researcher at Cybernews, to give some reflections on the cybersecurity issues facing the retail sector. “Ransomware and data leaks are on the rise,” Sasnauskas explained, and will probably continue to increase. The challenge is that there is no “one true way” to protect companies and organisations from this threat.
Neil Arklie, head of cyber insurance at Aviva, pointed out that retail businesses are facing multiple threats at the moment, ranging from the impact of Covid-19 on sales to Brexit and potential legislative changes. Arklie believes it is possible and necessary to look at cybersecurity risks and “reach an equilibrium where it becomes a manageable exposure.”
“Cybersecurity in retail is absolutely at a difficult stage,” said Jon Hope, senior sales engineer at Sophos. Retail, along with education, is the most targeted sector. A survey for Sophos found that 44 per cent of retail organisations had been the target of a ransomware attack in the previous year. Many more traditional “bricks and mortar” shops had to quickly open or expand their online sales in response to Covid-19, creating additional challenges for cybersecurity. The damage to an organisation can also be worse for a retail business, Hope explained, because customers can easily go elsewhere, in contrast to education or healthcare providers.
Ivan Brooks, CIO advisory and board consultant, focused on governance and accountability, noting that while cybersecurity is a board-level responsibility, “there’s a lot of weight to be carried by the finance director, by the commercial team and director, certainly by the CEO.” That is particularly the case when dealing with the broader controls in the business. “The security drum needs to be beaten to the pace of the organisation, to the rhythm of the organisation, and it needs to be across the total company,” he added. Brooks wants to get to an environment where companies realise the threat and make proactive investments, instead of having to react to something that has already happened.
The discussion then focused on ransomware, with Sasnauskas explaining that the “whole landscape of ransomware gangs is changing.” In response to some forums acting to stop the sharing of stolen data, much of that sharing has shifted to the dark web, he explained. Some of the current ransomware gangs are frequently renaming and rebranding themselves, while new ones have emerged, including groups that had previously bought in ransomware expertise and are now developing their own capabilities. All of this helps keep these gangs and their members out of the “spotlight” and makes them more difficult to track.
Jon Hope added that while attacks on retail were as likely to be “successful” as those on other sectors (around 54 per cent of attacks resulted in attackers encrypting data), the sector was slightly better than others at blocking attacks. However, he continued, retail is the target of a new and as yet unnamed type of attack in which cybercriminals steal data from an organisation, then go back to it to extort money with the threat that, if it does not pay, they will go public and let everybody know that the organisation’s security is weak and that they have its data. “They’re not actually encrypting the data, they’re not blocking access to the data, but they’re still using that data as a method of extortion,” he explained.
While 32 per cent of organisations chose to pay ransoms to get their data back, according to Sophos’s research, Hope said they found that on average only 67 per cent of that data is actually retrieved. So, setting aside the moral and ethical arguments about paying ransoms, the evidence shows that paying is not necessarily an effective way to get your data back compared with restoring from backups, he added.
“Cyber insurance certainly has to change and is changing quite rapidly,” said Neil Arklie. He set out how the insurance market for cybersecurity had developed to around $5bn globally, and pointed out that, like most markets, it goes through “cycles.” Ransomware attacks are a particular concern at the moment: “these caught a lot of people by surprise,” he explained. The larger risk is that these attacks become “high severity and high frequency,” which would have an impact on whether something could become “uninsurable.”
As a result, Aviva have focused on working with their clients on cybersecurity risk management and on cyber resilience, to ensure business continuity across a range of scenarios. However, there is a challenge in doing this because of a lack of recognised standards for the technology, such as for multi-factor authentication, in the way that there are standards for physical security measures like locks. Arklie also noted that the retail sector is behind others, such as finance and healthcare, in insuring itself against these risks. One reason is that companies in retail operate on quite small margins, which means they do not invest in cybersecurity and cyber resilience despite the risks to business continuity and to reputation.
Jon Hope reflected that there are two levers that could be used to move retail towards a better cybersecurity position: he believes GDPR compliance and insurance are the most effective drivers of change.
In response to a question on whether insurance is changing the behaviour of cybercriminals, Mantas Sasnauskas explained that while some gangs do look at whether their targets are covered by insurance as part of their “reconnaissance”, it is not a widespread practice. He added that a lot of companies choose not to risk the reputational damage of reporting attacks to law enforcement, and they make the same calculation when choosing whether to make an insurance claim. All of this is feeding a growing problem. “My personal opinion is that unless payments are going to be made illegal then they’re going to continue,” he said. “It’s bigger than, like, the drug cartels used to be in Central America or South America.”
Sasnauskas explained that the business model of cybercrime will change in the near future, responding and adapting to changes in regulation and the law. Automation is also likely to come more into play, with criminals using it to look for vulnerabilities and exploit them automatically. “The future is already here, and you’re living with it, we have to adapt to it,” he said. Jon Hope responded that the cybersecurity industry is also making greater use of automation to help secure systems and networks from attacks, reducing the workload so that cybersecurity staff can spend more time on other tasks, such as training frontline staff or reviewing policies and practices.
The group also discussed the role of the Chief Security Officer (CSO). Neil Arklie explained that Aviva look for who is responsible for cybersecurity when assessing a company. “Their voice should be heard loud and clear by senior management,” he added. Ivan Brooks said he strongly preferred the CSO to sit outside the IT team, perhaps at the same level as the audit function. He added that companies need to work with staff to ensure they are well trained and supported to guard against cyber risks. For Jon Hope, the role of the CSO is about ensuring that someone with a security focus is involved in projects at an early stage, so that security is built in from the start and does not get “steamrolled by the business objectives.”
The conversation concluded with a discussion of the challenges around “third parties” such as supply chains and even employees. Jon Hope said the “borderless approach” of allowing a partner organisation to connect without any level of control is “a recipe potentially for disaster.” This should be addressed by putting checks and controls into the partnership agreement. He mentioned the concept of “Zero Trust”, where “every single endpoint, every single individual machine, every single individual user is audited.” This means that a user’s identity and level of privilege are fully verified before any access is granted. In practice it also means that exposure to certain functions, and hence to certain risks such as phishing attacks, can be restricted. Neil Arklie cautioned against seeing employees as the risk: “It’s how you set up your systems to contain a potential threat that comes through and make sure it’s not catastrophic,” he said.